Saturday, January 24, 2009

Evan Schuman at Storefront Backtalk is reporting that the Secret Service has identified an overseas suspect in the Heartland Payment Systems breach.

Evan also has some other updated info on the breach:

The processor first learned of the breach (when alerted by Visa and Mastercard) in late October/early November, said Heartland spokesman Jason Maloni. Previously, the only comment had been that it had been alerted in late Fall, which could have been as late as Dec. 20.

Maloni also revealed that when the sniffer software had been discovered by Heartland, the application had already been deactivated, presumably by the cyber thieves who had planted it. “It was inactive when we found it,” Maloni said.

Maloni said he didn’t know more about the application’s inactive status, such as whether it had been fully terminated or whether it could have been merely dormant, programmed to awaken at some future point. If the Trojan had been deactivated, that could mean that the thieves learned they were being hunted and shut off many such applications to try and make it more difficult for investigators to discover their location.

Carr [Heartland’s CEO Bob] also took the opportunity to push the industry for more openness and data-sharing when it comes to cyber assaults. “I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber crime attacks,” Carr said. “Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again. I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week.” [Think Homeland Security should do this? We could pay for it with increased fines... Oh, wait. We don't fine anyone. Bob]

Again? Help Wanted: Must know something about securing those computer thingys...

Monster.com is advising its users to change their passwords after data including e-mail addresses, names and phone numbers were stolen from its database.

The break-in comes just as the swelling ranks of the unemployed are turning to sites like Monster.com to look for work.

The company disclosed on its Web site that it recently learned its database had been illegally accessed. Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users’ states of residence. The information does not include Social Security numbers, which Monster.com said it doesn’t collect, or resumes.

Monster.com posted the warning about the breach on Friday morning and does not plan to send e-mails to users about the issue, [“Screw 'em. Besides, we can't afford the postage.” Bob] said Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday.

USAJobs.com, the U.S. government Web site for federal jobs, is hosted by Monster.com and was also subject to the data theft. USAJobs.com also posted a warning about the breach.

Harvard researchers have accused the developers of tools for dodging the Great Firewall of China of selling data harvested by the software, potentially giving the authorities in Beijing an easy way to identify dissidents.

As well as selling aggregate usage data, software developers were also offering to sell detailed surfing histories of individual surfers for a fee, something that poses an even greater privacy risk, according to an analysis by Hal Roberts from The Berkman Center for Internet Society at Harvard University.

Just 12 hours after this blog highlighted the privacy problems associated with the White House's use of embedded YouTube videos, the Obama team rushed to deploy a technical fix that significantly protects the privacy of many (but not all) of the site's visitors.

Since its launch three days ago, President Obama's White House Web site has included several embedded YouTube videos. While this certainly demonstrates that the 44th president is Web 2.0 savvy, the decision to embed YouTube videos has also enabled the Google-owned video-sharing site to sneakily collect data on the millions of people who visit Whitehouse.gov--even those users who never click the "play" button to actually watch one of the videos.

Next they could ask for the records of everyone on MySpace and see if they can establish a crime. Bragging about downloading a song, robbing a bank, or playing hooky. Who knows, they might find Governors paying for sex, or hackers tapping credit card computers! (It would be cheaper for society if we just executed sex offenders and we are in a recession.)

The Connecticut attorney general's office on Friday served MySpace a subpoena demanding that MySpace hand over the identities of registered sex offenders it claims the social-networking site discovered and subsequently removed from its roster of members.

Connecticut Attorney General Richard Blumenthal also told CNET News that his office is reviewing independent research about registered sex offenders said to still populate the site. Blumenthal declined to comment on whether he plans to take further action.

… From deleted profile information, officials can see whether sex offenders have violated parole by joining a social network and whether they have been communicating with minors on the site.

… A report issued last week by the Internet Safety Technical Task Force concludes that minors are less vulnerable to sexual predation than previously believed.

Interesting. Who do we know in Maui that could host a seminar? (Are they actually saying Judges are stupid and we want to put one of our lackeys in their chambers to make sure they 'do the right thing?')

… Rep. Adam Schiff (D-Calif.) and Rep. Darrell Issa (D-Calif.) reintroduced legislation this week that would start a 10-year pilot program to educate district judges on patent issues. Judges from courts that meet certain criteria would be able to opt into the program, which would provide funds for them to pursue educational opportunities such as patent seminars. The participating courts would also be assigned a clerk with expertise in patent law or the technical issues associated with patent cases. The bill authorizes $5 million a year to carry out the program.

What a great cover story Research Project! I only wish he gave us the URLs that host these downloads so we would know which site to avoid.

… Andy Baio, an independent journalist and programmer, says he has tracked how quickly pirated copies of Oscar-nominated films appear on the Web for the past six years. He logs whether the copies were recorded with handheld cameras or copied from DVDs.

… That may be true, but of this year's 26 Oscar contenders, which were announced on Thursday, 24 are available online in DVD quality, Baio wrote on his site, Waxy.org.

… He says it took longer on average than in years past for pirated copies to be made from the screeners and then make their way online: six days.

A question for all of those Legal Scholars who read my blog: Should we require full disclosure of attacks (network or otherwise) that impact Internet service? (I suspect it would be useful to know if a given vendor was brought to its knees by 10,000 computers or 10,000,000.)

Posted by Soulskill on Friday January 23, @10:08PM from the but-they're-so-friendly dept. The Internet Security

netizen writes

"CircleID is reporting a large-scale DDoS attack affecting all of Network Solutions' name servers for the past 48 hours, potentially affecting millions of websites and emails around the world hosting their domain names on the company's servers. The NANOG mailing list indicates that it is due to a very large-scale UDP/53 DDoS which Network Solutions has also confirmed: 'There is a spike in DNS query volumes that is causing latency for the delay in web sites resolving. This is a result of a DDOS attack. We are taking measures to mitigate the attack and speed up queries.'"

… Global Internet usage reached over 1 billion unique visitors in the month of December, with 41.3 percent coming from the Asia-Pacific region, according to a report released Friday by comScore.

The study looked at Internet users over the age of 15, who accessed the net from their home or work computers in the month of December.

Warning: Another Bob rant! Rather than admit their plan has flaws (gross underestimation of the cost involved, unrealistic time estimate, take your pick) now they want to “delay” the conversion date without mandating that broadcasters not convert as originally scheduled. Typical.

Posted by Soulskill on Saturday January 24, @08:18AM from the checking-their-priorities dept. Microsoft Businesses Government United States

CWmike writes

"US Sen. Charles Grassley (R-Iowa) told Microsoft this week that US citizens should get priority over H-1B visa holders as the software vendor moves forward on its plan to cut 5,000 jobs. 'These work visa programs were never intended to allow a company to retain foreign guest workers rather than similarly qualified American workers, when that company cuts jobs during an economic downturn,' Grassley wrote in a letter sent Thursday to Microsoft CEO Steve Ballmer. The letter asked Microsoft to detail the types of jobs that will be eliminated and how those cuts will affect the company's H-1B workers."

"Today we are releasing the new official portrait for President Barack Obama. It was taken by Pete Souza, the newly-announced official White House photographer. It is the first time that an official presidential portrait was taken with a digital camera. You can see the portrait [and] download a copy."

… According to the blog i-hacked.com, some programmable road signs are easily messed with, largely because they often have unlocked instrument panels, a text-entry system that is easily accessed, and are often protected with uncomplicated, or unchanged default passwords.

Because Heartland Payment Systems has not really answered the questions of interest to consumers and bloggers like me, I thought -- out of "an abundance of caution" -- that I would compile what we know and create an F.A.Q. on the breach.

1. I never heard of Heartland Payment Systems. Who are they, and how do I know if they have my data?

When you use your credit card or debit card, you provide your card details. Merchants and restaurants all use payment processing companies to handle the card transactions. Heartland is one of the biggest card payment processors in the U.S. It handles transactions for Visa, MasterCard, American Express, Diners Club, Discover, and JCB.

You would have no way of knowing whether they have your data unless you had a list of every one of their 175,000 or so clients and had used your card with one of those clients during the period when their system had been breached.

You can find more information on Heartland on their web site. What you will not find on their home page is any reference to the breach or any link to information about the breach.

2. What happened?

Heartland Payment Systems' security failed to detect that a keylogger had gotten past their firewall. A keylogger records every keystroke you type, like usernames and passwords. According to HPS president Robert Baldwin, the keylogger then propagated a sniffer that started capturing transaction data in real-time. Transaction data includes your name, and credit or debit card number and expiration date.

3. When did the breach occur?

HPS is still scratching its head over that one, but there are published reports that Visa and MasterCard informed credit unions that fraudulent charges were being posted from May 16 - August 19th, suggesting that the breach predates May 2008. HPS either hasn't figured out or hasn't revealed exactly when the breach began and when it ended.

4. How did HPS find out about the breach?

HPS reports that Visa and MasterCard contacted them about suspicious activity. HPS couldn't find anything wrong, and brought in a forensics team, who just last week, reportedly discovered "evidence" of the breach.

5. When did HPS find out about the breach?

HPS has not said precisely when they were first contacted, but some reports indicate that they were notified by Visa and MasterCard in the fall of 2008.

6. What kinds of data were stolen?

Credit card numbers, expiration dates, debit card numbers, and customers' names. In its press release, HPS said that no Social Security numbers, unencrypted personal identification numbers (PIN), addresses, or telephone numbers were involved. The breach affected one of HPS's networks, but not all of them.

7. How many people had their data stolen? I heard it was 100 million accounts.

HPS president Baldwin says that they don't know that yet. As of Jan. 20, they hadn't figured out what data the sniffer actually grabbed, whether the data were sent to an external site, or what data was actually accessed.

The 100 million figure is a distortion of a statement Baldwin made in an interview where he mentioned that HPS processes 100 million transactions per month. First, 100 million transactions per month do not represent 100 million accounts or unique individuals because some people make numerous purchases on their card each month. Second, this breach seemingly went on for well over a month. So how many unique card numbers does HPS process in an 8-month period? We don't know.

8. Is there any indication of fraudulent use of card numbers resulting from this breach?

Yes, indeedy. Although the number of publicly reported cases is relatively small (less than 200 as of Jan. 22), we expect the numbers to rise.

9. Is the breach still ongoing?

HPS says that it has contained the problem.

10. Some reports said that HPS was PCI-compliant but the breach happened anyway. What's that about?

It means that they followed industry standards for security. But industry standards are the floor protections that need to be in place, and do not protect against all breaches. Think "necessary but not sufficient."

11. What should I do?

You can do what I did: make up a dartboard and put HPS in the center and throw darts at it.

Other than that, either wait for your bank, credit union or card issuer to notify you. If you don't want to wait, call them to see if your account was known to be affected. And if you haven't been checking your card and bank statements all along, go back and check them starting in April of 2008.

If you're really nervous, cancel all your cards and have them reissued with new numbers.

12. What is HPS offering or doing to help us if our cards were used for fraud?

Absolutely nothing. They say it would be "inappropriate" to do anything because this cannot lead to ID theft because there were no addresses or PINs or SSN. They did not respond to an inquiry as to whether they would reconsider offering free credit monitoring in light of reports that the breach resulted in fraud.

13. Where can I find out more about the breach and any updates?

HPS set up what has so far been a totally uninformative and useless web site at www.2008breach.com. Your best bet is to read news sites or sites like www.databreaches.net where you will find links to news articles and other updates based on our own queries.

According to a CBS news report, Platte Valley Bank issued the following release today:

The VISA Fraud Control & Investigations has been notified of a confirmed network intrusion that has put VISA account numbers at risk. Platte Valley Bank received a VISA Alert Wednesday, January 21, 2009. As of Thursday morning, January 22nd, 388 of Platte Valley Bank’s Debit Card customers have been affected. The entity type was classified as a “Brick & Mortar 3rd Party Processor”. No word yet on any Credit Cards being affected, but possibly could be, as this is related to the Heartland Payment Systems Breach announced yesterday, January 21, 2009.

The reported incident involves confirmed unauthorized access to a U.S. 3RD party processor’s authorization system of signature-based and PIN-based transaction information, that included cardholder name, expiration date, account numbers and some encrypted PIN blocks. Exposure Window was May 15, 2008 through November 13, 2008.

[...]

The release raises additional questions, including:

How did the window of exposure end on November 13 if Heartland didn’t find any evidence of a breach until last week (and seemingly wouldn’t be able to stop the bleeding until they found out where the problem was)?

Maybe some kind reader with a security background can explain that.

In other Heartland news, Forcht Bank updated the alert on their site and confirmed that their debit card breach was part of the Heartland breach.

It’s not yet known if the Heartland data breach will count as the largest card heist ever. But some analysts say what is clear is that payment-card processors are under increasing attack, and that the Payment Card Industry (PCI) data security standard that Visa and MasterCard require isn’t sufficient to ensure cardholder data is safeguarded.

“Billions is being spent on PCI compliance, but it isn’t really working,” says Gartner analyst Avivah Litan. “PCI’s dirty little secret is that it doesn’t mandate encryption inside a private network because then all the processors would have to encrypt.”

Encryption of data would make it much harder for attackers to benefit from the kind of network break-in that Heartland suffered. But Litan notes the complex interconnections among payment-card processers, merchants and banks would make point-to-point encryption extremely unwieldy. End-to-end application-level encryption might be more feasible where card data is originated.

The irony, Litan says, is that some retailers today do encrypt using VPNs to send cardholder data to a payment processor like Heartland, but processors decrypt it to transmit it onward.

Three Mobile County bail bond companies have been illegally accessing the Sheriff’s Office Web site to get personal information on inmates and gain a competitive advantage, authorities said Wednesday.

Bonding agents at A to Z Bail Bonds, Central Bonding and Bandit Bail Bonds somehow obtained a login and password allowing them access to a protected portion of the Web site, Sheriff Sam Cochran said.

The companies then used that information to contact inmates’ relatives and get their business, he said. That gave the companies a leg up on their competitors, who rely on walk-ins and cold calls from the inmates themselves, Cochran said.

No arrests have been made, but charges could be filed later as the investigation progresses, Cochran said.

The new website for Obama's White House is already drawing attention from privacy activists and tech bloggers. While the initial focus has been on the site's policies relating to search engine robots, a far more interesting tidbid (sic) has so far escaped the public eye: the White House has quietly exempted YouTube from strict rules regulating the use of cookies on federal agency websites.

No other company has been singled out and rewarded with such a waiver.

… As soon as a visitor surfs to one of the blog pages that contain a YouTube video, a long-term tracking cookie is automatically set in the user's browser--even for those users who do not click the "play" button.

… The YouTube-related text in the new White House privacy policy implies that not all users will be tracked by YouTube. The policy notes that:

"If you would like to view a video without the use of persistent cookies, a link to download the video file is typically provided just below the video."

The Obama administration fell in line with the Bush administration Thursday when it urged a federal judge to set aside a ruling in a closely watched spy case weighing whether a U.S. president may bypass Congress and establish a program of eavesdropping on Americans without warrants.

On January 15, 2009, a US Airways jetliner with 155 people aboard lost power in both engines after taking off from La Guardia Airport. Unable to return to La Guardia, the experienced pilot decided to avoid densely populated areas and directed the plane to the Hudson River.... So how does the public school that educated the pilot over 40 years earlier repay our hero? It honored him not with a plaque, but with the publication of his academic records. According to Fox News, the pilot's school records appeared online a day after the crash and rescue, including a childhood photo, testing history, and IQ.

Comment: Fox News leads off with "The hero pilot who miraculously guided his crippled jet into a textbook landing in the icy Hudson River was a straight-A student as a schoolboy in Denison, Texas — but his school district gets an "F" for making his academic records public." So does Fox News for reproducing the photos of the records. Yes, I know that anything the media gets, they can pretty much use, but even so....

… Thus, in the very near future, we will be releasing a report (also distributed by SANS) on The Business Justification for Data Security. (For the record, I like the term information-centric better, but we have to acknowledge the reality that “data security” is more commonly used).

Normally we prefer to develop our content live on the blog, as with the application security series, but this was complex enough that we felt we needed to form a first draft of the complete model, then release it for public review. Starting today, we’re going to release the core content of the report for public review as a series of posts.

Posted by timothy on Thursday January 22, @06:54PM from the take-that-25-other-letters dept. Programming Software

svonkie writes

"C overwhelmingly proved to be the most popular programming language for thousands of new open-source projects in 2008, reports The Register (UK). According to license tracker Black Duck Software, which monitors 180,000 projects on nearly 4,000 sites, almost half — 47 per cent — of new projects last year used C. 17,000 new open-source projects were created in total. Next in popularity after C came Java, with 28 per cent. In scripting, JavaScript came out on top with 20 per cent, followed by Perl with 18 per cent. PHP attracted just 11 per cent, and Ruby six per cent. The numbers are a surprise, as open-source PHP has proved popular as a web-site development language, while Ruby's been a hot topic for many."

Yesterday, we reported that Piedmont Credit Union in North Carolina had reported that 15 of its members were reporting fraudulent use of their Visa-issued debit cards, mostly at gas stations in Florida. We also reported that Oregon Territory Federal Credit Union members were reporting misuse of their debit cards. At the time of the initial reports, neither credit union was able to identify the source of the breach.

Now Piedmont has issued a statement on its site linking their breach to the Heartland breach. Although the statement does not name Heartland, a spokesperson confirmed to me that it was Heartland being referred to in their announcement.

A spokesperson for Oregon Territory also informs me that they have determined that their breach and fraud reports were also due to the Heartland breach.

In a third credit union breach, a spokesperson for Franciscan Skemp Credit Union informs me that they are as yet unable to determine if the Heartland breach was responsible for their reports, but that approximately 60 members have reported debit card fraud starting at the beginning of December. In their case, most of the fraudulent activity occurred at California retail merchants and gas stations.

Heartland’s initial press release did not indicate that it was arranging for any credit monitor or ID theft restoration services for those affected, and they have not yet responded to an inquiry as to whether they will arrange for such services in light of reports that there has been fraudulent use linked to the breach.

[small update: PCU's newest statement on their site names Heartland as the source of their breach.]

Replacing cards, even with no direct evidence of fraud, suggests they are taking this very seriously.

Maine banks and credit unions were scrambling this morning to assess the scope of a nationwide data breach involving credit and debit cards.

[...]

It was not immediately clear whether Maine customers had been victims of fraud related to the Heartland breach, but some banks were making plans to reissue cards, just to be safe.

Kennebunk Savings Bank has 7,000 MasterCard accounts that potentially could have been compromised. The bank decided this morning that it will send new cards to customers, although it hadn’t gotten any reports of misused cards.

Other banks were waiting for more information, to assess whether their customers were at risk. Bangor Savings Bank, which has 70,000 Visa cardholders, said its internal fraud-detection software had so far not detected any problems. For now, the bank isn’t planning to reissue new cards for all customers.

Number Affected: Unknown, "the company is not yet ready to disclose the number of credit card accounts affected"**

**"Heartland handles over 4 billion transactions per year", Source: Heartland Company History… [Evan] I have to say that this is one of the worst press releases I have ever read announcing a breach. I'll comment below.

Related Another form of mis-information (mis-direction?) with no way small businesses can clear their name. (Another job for the Class Action lawyers?)

Curiouser and curiouser… Forcht Bank’s spokesperson originally told a news source that they had been told by First Data Corporation that a breach involving 8,500 debit cards was due to a retail merchant. Subsequent news stories indicated that Forcht’s breach was part of the Heartland Payment Systems breach. A request for clarification from Forcht was not answered. Now we see another bank that informed its customers that they were recently told that a breach involved a retail merchant. Is there really another breach that involved a merchant or were attributions to a merchant erroneous?

The First Commonwealth Bank sent a letter to customers recently after they were notified by MasterCard of a security breach by a retail merchant.

The trouble, one customer said, is that the bank won’t tell customers which merchant was breached.

First we learned of a breach at RBS WorldPay detected on November 10th that resulted in fraud on at least 100 accounts.

Yesterday we learned of a breach at Heartland Payment Systems that presumably was going on during the fall and that has already been blamed for fraud in approximately 85 cases.

And in-between, we learned of mysterious micro-charges on thousands or millions of debit card and credit card statements that began in mid-November.

Are they all connected? Is there one large cybercrime outfit hitting the payment processors, or is there more than one group responsible for the two large breaches and the micro-charges incident?

Whether Heartland turns out to be the single biggest breach of all times is almost secondary to the larger issue of the state of security or lack thereof. In a recent analysis of 2008 breach data, I disagreed with any suggestion that the financial sector was the most proactive and raised the concern that the financial sector was not keeping pace with threats. It seems somewhat prophetic now. By the end of 2009, what will the figures for the financial sector look like if we could actually get the numbers on number of accounts accessed, etc.? Will 2009 be to the financial sector what 2006 was to the government sector or 2007 and 2008 to the business sector?

...and now for something completely different. The article reads like a chapter from “The Gang That Couldn't Shoot Straight” (This happened in 2004)

An international gang plotted to steal £229 million from customers’ accounts at a leading bank by hacking into computers, a court was told yesterday.

A security supervisor smuggled two Belgian computer hackers into the London offices of Sumitomo Mitsui Banking Corporation by pretending that they were friends who had arrived for a game of cards. The hackers installed spy software that recorded employees’ names and passwords at the bank’s European headquarters in the heart of the City, Snaresbrook Crown Court was told.

[...]

The scheme was foiled because the hackers failed to fill in one of the fields in the Swift system used to make money transfers.

It's been four years since data broker ChoicePoint acknowledged the data security breach that put it in the middle of a media firestorm and pushed data protection to the top of the infosecurity community's priority list.

Since then, the business world has made plenty of progress hardening its data defenses -- thanks in part to industry standards like PCI DSS and data breach disclosure laws (click to see state-by-state map) now in place.

Innovation has created bigger pipes, massive portable storage, stealth Port 80 file sharing and infinite egress points within any organization, Reavis says. It's just not easy to keep up with the security needs of such a beast.

That may be the case to a large extent, but other security experts see specific areas where organizations are simply asleep at the switch.

"All the improvements have come from SB 1386 and other disclosure laws, and as far as I can tell awareness to data risks hasn't increased significantly," says security industry veteran Richard Stiennon.

The Washington Post today is launching Who Runs Gov, a site primarily made up of a database of personalities in the United States government. If you're looking for info on your state's senator or representative, or details about a cabinet or high-ranking military official, it looks like the site could be a valuable resource.

Who Runs Gov is a wiki, powered by MindTouch. Registered users can edit the pages, but changes don't go live until the site's staffers approve the edits. Also, subjects of Who Runs Gov profile pages (or their staff) will be able to submit their own profile information for inclusion on pages about them, a fundamental difference from Wikipedia, where you're not supposed to write about yourself.

Is it un-ethical to tap unencrypted communications that happen to wander by on your frequency? Probably more interesting is: How vulnerable is the Blackberry to a subpoena?

Posted by CmdrTaco on Thursday January 22, @08:37AM from the good-cuz-crazy-glue-hurts dept. Security United States Politics

InternetVoting writes

"After all the controversy surrounding Obama's Blackberry, word has come that he will get to keep it. Few details are available and neither the National Security Agency nor the White House are talking. The current rumor is that the Blackberry will be used exclusively for personal use and a Sectera Edge will be used for official communications."

I don't use PowerPoint very often, but there must be some useful information in all of this...

In general terms, SlideServe is a web-based resource that lets you upload any PowerPoint presentation that you have come up with and see what others think about it. This way, you can increase your skills by receiving instant and accurate advice from designers with a higher level of proficiency.

The opening screen spotlights featured presentations and site users, whereas a “Presentation of the Week” section is included for additional reference purposes. The presentations that have received the best ratings and the ones that have been viewed the most are equally highlighted.

Another aspect that merits a mention is that presentations can be shared both on a public and private basis, and if you wish to keep things as widespread as possible the corresponding link can be embedded on social networking sites. Of course, it is always possible to forward the link via e-mail.

By way of conclusion, if the basic premise sounds appealing to you, and you think that your presentation skills still have some way to go, a resource like this can help things improve in a live setting. You can reach it at www.slideserve.com and start sharing on the spot.

Posted by kdawson on Tuesday January 20, @02:44PM from the debit-cards-at-risk dept.

rmogull writes

"Brian Krebs over at the Washington Post just published a story that Heartland Payment Systems disclosed what may be the largest data breach in history. Today. During the inauguration. Heartland processes over 100 million transactions a month, mostly from small to medium-sized businesses, and doesn't know how many cards were compromised. The breach was discovered after tracing fraud in the system back to Heartland, and involved malicious software snooping their internal network. I've written some additional analysis on this and similar breaches. It's interesting that the biggest breaches now involve attacks installing malicious software to sniff data — including TJX, Hannaford, Cardsystems, and now Heartland Payment Systems."

One bit of good news out of this massive breach is that, according to Heartland's CFO, "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address." [Are they saying the hackers didn't get your home address? Why would that make much difference? Bob] Heartland just put up a press release on the breach.

[From the article:

… Robert Baldwin, Heartland's president and chief financial officer, said the company … began receiving fraudulent activity reports late last year from MasterCard and Visa

… Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. [But apparently not until last week! Bob] But Baldwin said it wasn't until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients.

Baldwin said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised.

… The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

… Baldwin said it was not appropriate for Heartland to offer affected consumers credit protection or other identity theft protection services. [Certainly not affordable. Bob]

… Avivah Litan, a fraud analyst with Gartner Inc., questioned the timing of Heartland's disclosure -- a day in which many Americans and news outlets are glued to coverage of Barack Obama's inauguration as the nation's 44th president.

"This looks like the biggest breach ever disclosed, and they're doing it on inauguration day?" Litan said. "I can't believe they waited until today to disclose. That seems very deceptive."

… This latest breach happened despite the fact that a qualified Payment Card Industry data-security standard, or PCI, assessor found Heartland in compliance with the card networks’ security standards last April, according to Baldwin.

… After bringing in outside investigators and immediately reporting the breach to the U.S. Secret Service and U.S. Justice Department upon confirming it last week, [Why not last year, when Visa told them about it? Bob] Heartland in a news release today described the incident as the possible work of “a widespread global cyber fraud operation.”

… Visa Inc. and MasterCard Inc. first alerted Heartland of suspicious transactions late in the fall, according to Baldwin.

… Asked when the malware was planted, Baldwin says, “we have some strong suspicions, but at this point it’s still speculative.” [Translation: We don't know. Bob]

… The breach could be large, according to Avivah Litan, a technology and security analyst at Stamford, Conn.-based Gartner Inc. “Very credible sources tell me this could be at least as big as TJX,” she says, refusing to identify the sources.

… "We really don't have too many more details, but have noticed that credit unions in at least five states from Florida to Oregon have placed 'alerts' on their Web sites about a 'possible breach,' " says Kelly Todd, who helps maintain the Open Security Foundation's DataLossDB.

… According to this story from the TimesTribune.com in Kentucky, Forcht Bank is among those taking steps to protect its customers.

… This story over the weekend in the Kennebec Journal tells of 1,500 customers of the Kennebec Savings Bank in Augusta, Maine being notified that their card information had been compromised. The bank was replacing cards only upon request.

… While there are indications that the malicious software had compromised Heartland's network as long ago as mid-May (Baldwin would not confirm that), he said it was "just last week" that forensic examinations definitively pinpointed Heartland as the source of the breach.
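The malware described in the excerpt above recorded magnetic-stripe data in transit, and that track data is exactly what counterfeit cards are made from. As an added example (not from the article and not Heartland's tooling), here is the kind of data-loss check a processor can run over debug logs or outbound payloads to notice Track 2 formatted data appearing where it never should: a pattern match confirmed by a Luhn check, reporting only a masked PAN. The log lines are constructed; 4111111111111111 is the well-known Visa test number, not a real card.

```python
"""Added example, not from the article or from Heartland: a small data-loss
check that flags Track 2 magnetic-stripe data in places it should never
appear (debug logs, outbound payloads). Sample lines below are constructed."""
import re

# Track 2 layout: ';' PAN '=' YYMM expiry, 3-digit service code, discretionary
# data, '?' end sentinel. PANs are 13 to 19 digits long.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; rules out most random digit runs that merely
    look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the PCI DSS display form),
    so the alert itself does not become another leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> list:
    """Return one record per Luhn-valid Track 2 field found in text.
    Luhn-invalid matches are dropped as false positives."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service_code = m.group(1), m.group(2), m.group(3)
        if luhn_ok(pan):
            hits.append({"masked_pan": mask_pan(pan), "expiry": expiry,
                         "service_code": service_code})
    return hits


# Constructed log lines. The second line carries the standard Visa test PAN;
# the third carries a Luhn-invalid variant and must not be reported.
SAMPLE_LINES = [
    "2009-01-20 10:01:02 auth ok txn=8841 merchant=M-1234 amount=42.10",
    "2009-01-20 10:01:03 DEBUG raw=;4111111111111111=2512101000000000?",
    "2009-01-20 10:01:04 DEBUG raw=;4111111111111112=2512101000000000?",
]


def scan_lines(lines) -> list:
    """Scan numbered lines; each hit records its 1-based line number."""
    alerts = []
    for n, line in enumerate(lines, start=1):
        for hit in find_track2(line):
            hit["line"] = n
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in scan_lines(SAMPLE_LINES):
        print(f"line {a['line']}: track data for {a['masked_pan']} exp {a['expiry']}")
```

The same function can be pointed at a packet capture's decoded payloads or a file share; the point is that track data has a rigid, recognisable shape, so its presence outside the authorised processing path is a cheap, high-signal indicator that something is recording it.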

Slightly o/t, but for the second time in one month, we’re seeing reports of phone system hacks leaving businesses with huge bills.

[From article one:

A Canadian computer security firm got worse than a lump of coal in its stocking this year -- it got a $50,000 phone bill after someone hi-jacked its phone system and made hundreds of calls to Bulgaria over two weeks.

[From article two:

A small business has a $120,000 phone bill after criminals hacked into its internet phone system and used it to make 11,000 international calls in just 46 hours.

Posted by kdawson on Wednesday January 21, @08:08AM from the by-party-or-parties-unknown dept.

The National Journal just published an article with details about the hacking of Congress in 2006, possibly by agents in China, though the attack's origin is uncertain. The article notes the difficult work of the House Information Systems Security Office, which must set security policies and then try to enforce them on a population of the equivalent of C-level executives. The few members who have called attention to the issue of Congressional cyber-security have been advised to shut up about it, by whom the reporter did not discover.

"Armed with this information about how the virus worked, the security officers scanned the House network again. This time, they found more machines that seemed to match the profile — they, too, were infected. Investigators found at least one infected computer in a member's district office, indicating that the virus had traveled through the House network and may have breached machines far away from Washington. Eventually, the security office determined that eight members' offices were affected; in most of the offices, the virus had invaded only one machine, but in some offices, it hit multiple computers. It also struck seven committee offices, including Commerce; Transportation and Infrastructure; Homeland Security; and Ways and Means; plus the Commission on China, which monitors human rights and laws in China."

CNN: "Barack Obama was sworn in as the 44th president of the United States and the nation's first African-American president Tuesday. This is a transcript of his prepared speech." The video link is here.

Forcht Bank disabled 8,500 customer debit cards this week after learning they could have potentially been hacked into by persons creating duplicate cards.

Eddie Woodruff, chief operations officer for the bank, confirmed that 8,500 of the bank’s roughly 22,000 total debit cards had been deactivated, but the move was primarily a precaution.

“Right now, none of our customers have reported any fraudulent activity on the cards,” Woodruff said. “We’re just trying to take every precaution.”

The cards were compromised when a retail merchant’s computer system was hacked, Woodruff said. The breach affected customers of multiple banks whose cards are processed by the STAR Debit and ATM Network.

[...]

Woodruff said other banks were affected by the problem, but First Data Corporation, which operates the STAR Debit and ATM Network, would not comment on how many were affected.

The STAR system is used by 2 million ATM and retail locations across the country, according to its Web site.

Wouldn't you like to know what approach works? Think of it as an online version of those TV “reality shows” (It's only “security through obscurity” if the website owners knew about it. Otherwise it's “lack of security through stupidity.”) Attention Class Action lawyers?

A popular Web site that helps connect young women with so-called “Sugar Daddies” has fixed a major security hole that, apparently since its inception two years ago, allowed anyone with a Web browser to view the private negotiations between site members.

[...]

Seekingarrangement.com, an adult social networking site that boasts some 300,000 registered users, contained a weakness that allowed anyone to view any conversation thread between two members of the site merely by manipulating one or two characters in the Web site’s Internet address.

Worse yet, potential snoops did not need to be logged into the site to read members’ private messages. In addition, identifying the parties on either end of the transaction also was simple and could be done by non-members.

Security Fix alerted the Web site on Friday, after being contacted by a security professional who asked not to be named. Several days later, the hole was fixed.

Comment: this one poses another interesting challenge. Will seekingarrangement.com notify registered users of the breach, and if so, how? And how will their registered users and perhaps state attorneys general respond in light of the TOS and Privacy Policy for the site?

Seekingarrangement.com did not respond to an inquiry about their intention to notify registered users or state attorneys general as of the time of this posting.
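The hole described above, a conversation readable by anyone who changes a character or two in the address and without logging in, is the classic insecure direct object reference: the server looks the thread up by id and never asks who is asking. As an added example (not the site's code), here is the vulnerable lookup beside the hardened one. The thread store, user names and ids are constructed for illustration.

```python
"""Added example, not from the article or the site: a message-thread lookup
with an insecure direct object reference, beside the authorization check that
closes it. Data and names below are constructed for illustration."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Thread:
    thread_id: str
    participants: frozenset          # user names allowed to read this thread
    messages: list = field(default_factory=list)


# Constructed sample data. Sequential ids are what makes "changing one or two
# characters in the address" enough to land on another couple's conversation.
THREADS = {
    "1001": Thread("1001", frozenset({"alice", "bob"}), ["hi", "hello"]),
    "1002": Thread("1002", frozenset({"carol", "dave"}), ["terms?", "later"]),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested thread."""


def view_thread_vulnerable(thread_id, user=None):
    """VULNERABLE: looks the thread up by id only. The caller's identity is
    ignored, so an anonymous visitor reads any conversation by guessing the id."""
    thread = THREADS.get(thread_id)
    return thread.messages if thread else None


def view_thread_hardened(thread_id, user=None):
    """FIXED: requires an authenticated user who is a participant of the thread.
    A missing thread and a forbidden one produce the same error, so the endpoint
    does not reveal which ids exist."""
    if user is None:
        raise Forbidden("login required")
    thread = THREADS.get(thread_id)
    if thread is None or user not in thread.participants:
        raise Forbidden("not a participant")
    return thread.messages


def can_read(thread_id, user=None) -> bool:
    """True/False wrapper around the hardened check."""
    try:
        view_thread_hardened(thread_id, user)
        return True
    except Forbidden:
        return False


def new_thread_id() -> str:
    """Defence in depth for new threads: an unguessable id makes enumeration
    impractical, but it never replaces the participant check above."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("anonymous, vulnerable:", view_thread_vulnerable("1002"))   # leaks
    print("anonymous, hardened:", can_read("1002"))                   # False
    print("carol, hardened:", can_read("1002", "carol"))              # True
```

The fix is the ownership check, not the random id: a site that only switched to unguessable ids would still hand a thread to anyone who obtained its link, for example from a shared screenshot or a referrer header.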

Similar, but not related? Look at what was revealed and think if you could be identified by a similar disclosure of information.

Saw this posted on a Google support forum and will be following this to see the explanation...

I've discovered the existence of a shadowy Other whose Google wanderings are mysteriously—and inappropriately—showing up in the web history of my Google account. His/her passage is marked by a trail of cyber-crumbs leading to searches for free pornography, dachshund/rat terrier puppies and unemployment benefits in Tucson, Arizona. How do the Internet searches of an out-of-work, self-stimulating Arizonian aficionado of bizarre dog breeds wind up documented in my Google account?

[...]

I can see the address used as the starting point for several driving direction searches, did a reverse lookup, and got a name associated with the address. This is obviously a significant security breach for the Other. My big concern is that the breach is reciprocal—that the Other can see my searches (and addresses), too, although whoever it is seems to be a pretty unsophisticated user. I would very much appreciate hearing from a Google rep about this security breach—this forum appears to be the only way to contact Google. I've blogged about this--no one seems to know the answer.

Thousands of California residents can sue AOL in their home state for invasion of privacy despite agreements they signed requiring all legal disputes to go before "courts of Virginia" and be guided by Virginia law.

A federal appellate court on Friday cleared a path for a class-action lawsuit to proceed against AOL.

On July 31, 2006, AOL (formerly America Online) placed on a public Web site 20 million search inquiries by 658,000 of its members over a three-month period.

Citing a 1972 U.S. Supreme Court opinion and a 2001 California court of appeal decision, the circuit panel ruled "enforcement of the forum selection clause violates the (California) Consumer Legal Remedies Act," and is unenforceable against California residents. The state's public policy would be violated if its residents were forced to waive their rights to a class action and remedies available under California consumer law, the panel declared.

… The argument is that straightforward. In a few more words, I argue that:

Disruptive online technologies have almost always had an enterprise analog. The Internet itself had the intranet: the use of HTTP and TCP/IP protocols to deliver linked content to an audience through a browser. The result was a disruptive technology similar to its public counterpart but limited in scope to each individual enterprise.

Cloud computing itself may primarily represent the value derived from purchasing shared resources over the Internet, but again there is an enterprise analog: the acquisition of shared resources within the confines of an enterprise network. This is a vast improvement over the highly siloed approach IT has taken with commodity server architectures to date.

The result is that much of the same disruptive economics and opportunity that exists in the "public cloud" can be derived at a much smaller scale from within an enterprise's firewall. It is the same technology, the same economic model and the same targeted benefits, but focused only on what can be squeezed out of on-premises equipment.

Posted by CmdrTaco on Monday January 19, @11:18AM from the like-helping-kids-save-money-for-college dept.

An anonymous reader writes

"In a study conducted by TNO for the Dutch government the economic effects of filesharing are found to be positive. According to the 146-page report (available for download, but in Dutch) filesharing is good for the prosperity of the Dutch: with filesharing more media are available, even though this costs the media industry some profit. One of the most noticeable conclusions is that downloading and buying are not mutually exclusive: downloaders on average buy just as much music as non-downloaders, but they buy more DVDs and games than people who don't download. They also tend to visit more concerts and buy more merchandise."

For my website class. This works both ways: you can scan the tags for a tool and see examples of sites that use it.

Applied Stacks is a structured wiki dealing with the software systems and tools used to build specific websites. That is, it can be thought of as a unified/centralized variant of the 'Powered By X' or 'Built using Y' lists on specific languages and web frameworks that make up the World Wide Web as a whole.

More than 16,000 websites are already documented, so that it can be said that a lot of ground is covered, and designs ranging far and wide can be found and perused.

… All in all, Applied Stacks is your one-stop destination when it comes to seeing the system behind any site on the Net, and for sharing your knowledge with the world at large by submitting your very own website.

A resource that goes by a suitable name, ClickMeter will enable you to monitor the number of clicks any link that you specify beforehand receives. Furthermore, this service will let you know where the users who click on your links come from, and whether a person clicks on more than one of the links you set up.

The implementation of this service is quite simple, as all you have to do is key in or cut and paste the relevant link. This link becomes then known as the destination link, and upon submitting it you will receive what is termed a “monitor link” for you to include in your site or blog.

From that point onwards, whenever a user clicks on this link he will be redirected to the destination link, and ClickMeter will collect the data necessary for its analysis.

This service is provided free of charge, but note that a paid version is likewise featured and it includes advanced management options as well as being entirely ad-free. In any case, the free edition acts as a good appetizer, and you will have a satisfactory idea of what this browser-based tool can do through it.

About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.